دعم الموقع
الدعم → دعم API
Can't access API anymore with Vercel proxy : Error 403 - Host not permitted
نشر بواسطة dualshoteSTAFFMOD في نوفمبر 20, 2024 عند الساعة 3:36 صباحا
Hello,
Since yesterday, my production application no longer works.
I use Vercel's serverless functions as a proxy for my front-end requests to the TMDB API. This function adds the Bearer token to http headers so that users don't see my API token.
// Vercel serverless function to proxy TMDB API requests
import { createProxyMiddleware } from 'http-proxy-middleware';
import type { Request, Response } from 'express';
const apiProxy = createProxyMiddleware({
target: process.env['TMDB_API_URL'],
changeOrigin: true,
pathRewrite: {
'^/api': '',
},
onProxyReq: proxyReq => {
proxyReq.setHeader(
'Authorization',
`Bearer ${process.env['TMDB_API_TOKEN']}`
);
},
});
export default async function (req: Request<any>, res: Response<any>) {
return apiProxy(req, res, () => ({}));
}
Until yesterday, everything had been running smoothly for over 8 months.
Error logs returned by the proxy function :
[Proxy Response] {
statusCode: 403,
path: '/configuration',
headers: {
'content-type': 'text/plain',
'transfer-encoding': 'chunked',
connection: 'close',
date: 'Wed, 20 Nov 2024 08:34:23 GMT',
server: 'openresty',
'content-encoding': 'gzip',
vary: 'Accept-Encoding,accept-encoding, Origin',
'x-cache': 'Error from cloudfront',
via: '1.1 b09c8a20b29053a362f3c1085a0f8990.cloudfront.net (CloudFront)',
'x-amz-cf-pop': 'MRS52-P5',
'alt-svc': 'h3=":443"; ma=86400',
'x-amz-cf-id': 'wuVqwl7l58qHOjPJgJOfAgVIy7IMNAVgCnvhFOui9-kgrlbTQO3L9Q=='
}
}
There is a possibility that my Vercel host has been blocked ?
When i try to use TMDB API with postman or with an other proxy there is no problem.
Thanks for helping.
رد بواسطة Travis Bell
بتاريخ نوفمبر 20, 2024 في 11:07 صباحا
Hi @dualshote,
I would assume this has to do with some security work we've been doing over the past week or so. We found an open issue where we were not enforcing the allowed host values, which could let 3rd parties masquerade as if they were the ones running
api.themoviedb.orgwith a different domain.The only way you'd be tripping over this change is if that is precisely what this proxy is inadvertently doing. Are you able to set the
X-Forwarded-Hostheader by any chance? Set it toapi.themoviedb.org, of course.رد بواسطة JoshuaNitschke
بتاريخ نوفمبر 20, 2024 في 12:23 مساءا
Thanks, I had the same issue and adding the header fixed it for me.
رد بواسطة dualshote
بتاريخ نوفمبر 20, 2024 في 2:25 مساءا
Hi @travisbell ,
The problem is now fixed by adding the header "X-Forwarded-Host" to "api.themoviedb.org".
https://www.movie-catalog.io/ is now online ;)
Thanks a lot for your help !
رد بواسطة JoshuaNitschke
بتاريخ نوفمبر 20, 2024 في 2:36 مساءا
@travisbell in my app, we are still seeing some previous calls that were made earlier today without the X-Forward-Host still error when we execute with the new header being passed. Is there some caching on TMDB API that might explain that?
رد بواسطة Waffiq
بتاريخ نوفمبر 21, 2024 في 12:01 صباحا
I recommend you to provide TMDB attributes to follow the term of use. It would be great to give credits for developers and helps people find the original resource. Source? term of use and logo.
رد بواسطة dualshote
بتاريخ نوفمبر 21, 2024 في 3:30 صباحا
Hello @waffiqaziz ,
For sure i will provide TMDB attributes, the app is in development, not terminated ;) I had it in my todolist but I'll add it as a priority.
Thanks
رد بواسطة Waffiq
بتاريخ نوفمبر 22, 2024 في 9:26 صباحا
glad to hear that
Nice, you can add it on about or legal page, i've notice that you have it but not yet developed
رد بواسطة tim_cook
بتاريخ يناير 12, 2025 في 5:52 صباحا
Hello @travisbell I'm still facing the issue even after adding the
X-Forwarded-Host. I'm hitting my AWS API gateway from postman and getting: 403 "Host not Permitted", could you please help here?رد بواسطة tim_cook
بتاريخ يناير 14, 2025 في 2:06 صباحا
@travisbell
I tried sending the
X-Forwarded-Hostfrom the client side, but I'm getting a 403 Host not permitted error.Apparently, I'm unable to set or modify the
X-Forwarded-Hostin my API gateway parameter mapping.When I inspected the headers forwarded by the API gateway to tmdb API, I could see the following:
Could this be the cause of the problem?
Is there any workaround I could use to resolve this issue?
رد بواسطة Travis Bell
بتاريخ يناير 14, 2025 في 11:56 صباحا
@tim_cook Have you tried setting your request headers as described in the API Gateway docs?
رد بواسطة tim_cook
بتاريخ يناير 21, 2025 في 12:23 مساءا
@travisbell Since I'm using AWS HTTP API gateway I cannot add template mapping. This issue started occurring all of a sudden. Earlier it used to work correctly without having to make any changes on the API gateway level. What specifically am I supposed to update to get this working?
رد بواسطة Travis Bell
بتاريخ يناير 21, 2025 في 1:33 مساءا
Ok, HTTP API Gateway. Isn't that outlined here?
Something along the lines of:
Maybe?
رد بواسطة tim_cook
بتاريخ يناير 23, 2025 في 11:07 صباحا
Yes, I did try updating/appending the header via parameter mapping. However, there are a few reserved headers that cannot be mutated.
From the docs (the link that you shared above)
Reserved headers
The following headers are reserved. You can't configure request or response mappings for these headers.
Is there any other workaround to this? I would greatly appreciate it.
رد بواسطة tim_cook
بتاريخ يناير 28, 2025 في 10:18 صباحا
@travisbell any updates on this?